[comp.sys.mac] Viral Resources

jln@eecs.nwu.edu (John Norstad) (11/17/88)

Someone asked for a list of known Mac viruses and their resource
identifications, so that users of Virus Detective could update the
list of suspicious resources, and so that users of ResEdit would know
what to look for.

Here's what I know about Scores and two strains of nVIR:

Scores infected system files:

       Type     ID     Size   Files
       ----   ----    -----   ------------------------------
       INIT      6      772   System, Note Pad File, Scrapbook File
       INIT     10     1020   System, Desktop, Scores
       INIT     17      480   System, Scrapbook File
       atpl    128     2410   System, Desktop, Scores
       DATA  -4001     7026   System, Desktop, Scores
       
Scores infected applications:

       Type     ID     Size
       ----   ----    -----
       CODE    n+1     7026
       
    where n = the id of the first unused CODE resource.  For example,
    if the application has CODE resources numbered 0,1,2,3,4,5, then
    n=6 and the viral CODE resource is numbered n+1=7.
    
nVIR infected System file:

       Type     ID     Size A    Size B
       ----   ----    -------   -------
       INIT     32        366       416
       nVIR      0          2         2
       nVIR      1        378       428
       nVIR      4        372       422
       nVIR      5          8         8
       nVIR      6        868        66
       nVIR      7       1562      2106
       
nVIR infected application:

       Type     ID     Size A    Size B
       ----   ----    -------   -------
       CODE    256        372       422
       nVIR      1        378       428
       nVIR      2          8         8
       nVIR      3        366       416
       nVIR      6        868        66
       nVIR      7       1562      2106

Unlike Scores, nVIR does not infect any files in the system folder
other than the System file itself.  The two columns "A" and "B" above
are the sizes for what I call "nVIR strain A" and "nVIR strain B".

Hope this helps.

John Norstad
Academic Computing and Network Services
Northwestern University

Bitnet:    jln@nuacc
Internet:  jln@nuacc.acns.nwu.edu

jln@eecs.nwu.edu (John Norstad) (11/18/88)

I made a mistake in my "Viral Resources" posting.  nVIR DOES
infect system folder files other than the System file itself
(e.g., Finder and DA Handler).  I was thinking of the "first
prong" of the attack, when an nVIR-infected application first
infects a previously clean system.  Finder and DA Handler get
infected during the "second prong", when the infected system
starts infecting other applications and things that look like
applications like the Finder and DA Handler.

Scores, by the way, also has this behaviour.

Sorry for the confusion.

John Norstad
Academic Computing and Network Services
Northwestern University

Bitnet:    jln@nuacc
Internet:  jln@nuacc.acns.nwu.edu

alexis@ccnysci.UUCP (Alexis Rosen) (11/18/88)

It should be noted that nVIR also patches some resources, not just adds some.
I believe that it patches CODE 1 (or was it CODE 0? John?)

/Alexis

MacUserLabs@cup.portal.com (Stephan - Somogyi) (11/20/88)

The affected CODE resource is 0.

CODE 0 contains the jump table that gets patched so that the viral
code gets executed before the application's code.

Stephan

<--------------------------------------------------------------->
Stephan Somogyi
Software Engineer
MacUser Labs
950 Tower Lane, 18th Floor
Foster City, CA 94404

...sun!cup.portal.com!MacUserLabs or MacUserLabs@cup.portal.com

BIX: mulabs                       CIS: 72511,16
MacNET: MULABS                    FAX: (415) 378-5675

The opinions expressed may or may not represent those of my employer
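
Worked example, added here by the editor and not part of any post in this thread: a Python script that parses a classic Macintosh resource fork (the header / data / map layout from Inside Macintosh), flags the resource type, ID and size combinations from John Norstad's tables, applies his Scores "CODE n+1 of 7026 bytes" rule, and reads the CODE 0 jump table Stephan Somogyi mentions so that a defender can see which segment each entry dispatches into. The sample forks, the `build_resource_fork` helper and the choice to point the sample's first jump-table entry at CODE 256 are constructed for illustration; the thread does not say which jump-table entry nVIR patches, and a size match alone is a reason to look closer rather than proof of infection.

```python
import struct

# Signature tables transcribed from John Norstad's post: (type, id) -> known sizes.
# Where two sizes are listed they are the "strain A" and "strain B" columns.
SYSTEM_SIGNATURES = {
    ("INIT", 6): {772}, ("INIT", 10): {1020}, ("INIT", 17): {480},        # Scores
    ("atpl", 128): {2410}, ("DATA", -4001): {7026},                        # Scores
    ("INIT", 32): {366, 416}, ("nVIR", 0): {2}, ("nVIR", 1): {378, 428},   # nVIR
    ("nVIR", 4): {372, 422}, ("nVIR", 5): {8}, ("nVIR", 6): {868, 66},
    ("nVIR", 7): {1562, 2106},
}
APP_SIGNATURES = {
    ("CODE", 256): {372, 422}, ("nVIR", 1): {378, 428}, ("nVIR", 2): {8},
    ("nVIR", 3): {366, 416}, ("nVIR", 6): {868, 66}, ("nVIR", 7): {1562, 2106},
}

def parse_resource_fork(fork):
    """Return {(type, id): data} from a resource fork image (Inside Macintosh layout)."""
    data_off, map_off = struct.unpack(">II", fork[:8])
    # Map: 16-byte header copy, handle, refnum, attrs, then type-list and name-list offsets.
    type_list = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    num_types = struct.unpack(">H", fork[type_list:type_list + 2])[0] + 1
    resources = {}
    for i in range(num_types):
        entry = type_list + 2 + 8 * i
        rtype, count_m1, ref_off = struct.unpack(">4sHH", fork[entry:entry + 8])
        for j in range(count_m1 + 1):
            # Reference entry: id, name offset, 1 attr byte + 3-byte data offset, handle.
            ref = type_list + ref_off + 12 * j
            rid, _name_off, attr_off = struct.unpack(">hhI", fork[ref:ref + 8])
            start = data_off + (attr_off & 0x00FFFFFF)
            length = struct.unpack(">I", fork[start:start + 4])[0]
            resources[(rtype.decode("mac_roman"), rid)] = fork[start + 4:start + 4 + length]
    return resources

def build_resource_fork(resources):
    """Build a minimal resource fork image; used only to construct the samples below."""
    data, by_type = bytearray(), {}
    for (rtype, rid), payload in resources.items():
        by_type.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(payload)) + payload
    type_list = bytearray(struct.pack(">H", len(by_type) - 1))
    refs, ref_base = bytearray(), 2 + 8 * len(by_type)
    for rtype, items in by_type.items():
        type_list += struct.pack(">4sHH", rtype.encode("mac_roman"),
                                 len(items) - 1, ref_base + len(refs))
        for rid, off in items:
            refs += struct.pack(">hhI", rid, -1, off) + b"\0\0\0\0"
    res_map = bytes(24) + struct.pack(">HH", 28, 28 + len(type_list) + len(refs))
    res_map += bytes(type_list) + bytes(refs)          # empty name list at the end
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(res_map))
    return header + bytes(240) + bytes(data) + res_map

def scan(resources, signatures):
    """(type, id, size) of every resource whose type, ID and size match the table."""
    return sorted((t, i, len(p)) for (t, i), p in resources.items()
                  if len(p) in signatures.get((t, i), ()))

def scores_code_check(resources):
    """Scores rule from the post: CODE n+1 is 7026 bytes, n = first unused CODE id."""
    ids = {i for (t, i) in resources if t == "CODE"}
    n = 0
    while n in ids:
        n += 1
    payload = resources.get(("CODE", n + 1))
    return payload is not None and len(payload) == 7026

def jump_table_segments(code0):
    """Segment named by each CODE 0 jump-table entry.  CODE 0 = four longs (above-A5,
    below-A5, table length, table A5 offset), then 8-byte entries:
    routine offset, MOVE.W #seg,-(SP) (0x3F3C), seg, _LoadSeg (0xA9F0)."""
    jt_len = struct.unpack(">I", code0[8:12])[0]
    table = code0[16:16 + jt_len]
    return [struct.unpack(">HHHH", table[k:k + 8])[2] for k in range(0, jt_len, 8)]

def suspicious_jump_entries(resources, hits):
    """(entry index, segment) for jump-table entries that dispatch into a flagged CODE."""
    flagged = {i for (t, i, _) in hits if t == "CODE"}
    code0 = resources.get(("CODE", 0))
    if code0 is None:
        return []
    return [(k, seg) for k, seg in enumerate(jump_table_segments(code0)) if seg in flagged]

def jump_table(segments):
    """Constructed CODE 0 whose jump table names the given segments, in order."""
    body = b"".join(struct.pack(">HHHH", 0, 0x3F3C, seg, 0xA9F0) for seg in segments)
    return struct.pack(">IIII", 0x100, 0x100, len(body), 32) + body

def nvir_a_sample():
    """Constructed application fork carrying the nVIR strain A resources from the post.
    Its first jump-table entry is pointed at CODE 256; that detail is an assumption."""
    res = {("CODE", 0): jump_table([256, 1]), ("CODE", 1): b"\x4e\x75" * 50,
           ("CODE", 256): bytes(372), ("nVIR", 1): bytes(378), ("nVIR", 2): bytes(8),
           ("nVIR", 3): bytes(366), ("nVIR", 6): bytes(868), ("nVIR", 7): bytes(1562)}
    return build_resource_fork(res)

def scores_sample():
    """Constructed application fork matching the Scores rule: CODE 0..5, then CODE 7 = 7026."""
    res = {("CODE", i): jump_table([1]) if i == 0 else bytes(40) for i in range(6)}
    res[("CODE", 7)] = bytes(7026)
    return build_resource_fork(res)

if __name__ == "__main__":
    for name, fork in (("nVIR A app", nvir_a_sample()), ("Scores app", scores_sample())):
        res = parse_resource_fork(fork)
        hits = scan(res, APP_SIGNATURES)
        print(name, hits, scores_code_check(res), suspicious_jump_entries(res, hits))
```

To run it against a real file, read the resource fork (on classic volumes the fork itself; on a MacBinary or AppleDouble dump, the resource-fork section) into `fork` and pass `SYSTEM_SIGNATURES` for the System file or `APP_SIGNATURES` for an application. The jump-table report is the cheap way to see what the patch Stephan describes changes: a jump-table entry that dispatches into a CODE segment you did not expect to exist.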